GB2504841A - Providing virtual machines with redundant security programming for autonomous operation - Google Patents

Abstract

A host machine 502 manages a number of virtual machines 510 by means of a supervisory process 504. The host operates a threat management facility 508 which communicates with the virtual machines to enforce a security policy of the enterprise operating the virtual machines. The virtual machines are capable of operating in a first state 514A where they are protected through the threat management facility, and a second state 514B where the threat management facility is absent, in which the virtual machines enforce the security policy autonomously through a local security facility 204 executed on the individual VM. This allows the VM to remain protected from malicious activity in the event of communication disruption, or in circumstances where the VM is disconnected from the enterprise network and operating independently. The transition between states may be initiated automatically, or by the user.

Description

A MULTI-PART INTERNAL-EXTERNAL PROCESS SYSTEM FOR

PROVIDING VIRTUALIZATION SECURITY PROTECTION

B ACKUROUND

[0001] Field:

[0002] mc present invention is rclatcd to protection of a client machine, and more specifically the protcction of a client machinc in a virtualizcd environment.

[0003] Description of the Related Art:

[0004] Securing client machines in an enterprise is a constant challenge, especially when the client machines are part of a virtualized environment in a high availability mode whcrc disconnection from thc host system can leave thc clicnt exposed to threats (for example when mobile devices are moved off a corporate network), even when the disconnection is only a transitory state. Therefore there is a need for improved methods for protecting clients in a virtualized environment.

SUMMARY

[0005] in embodiments, the preseni invention may create a multi-part disirihuied vendor neutral virtualizalion security syslem, where two disLinct processes provide protection in an inside/outside approach lo securing distrihuled virtualization environments. In normal operation the inside process may lay dormani except for communicalion wilh Ihe outside process providing the defauli protection. in embodiments, the oulside environmeni may or may not exisi on ihe clieni device being prolecied. ii Ihe inside process can no longer communicale with the oulside process, Ihe inside process may ihen begin Ihe real Lime protecLion oF the virtualited environmeni. In Ihis way, ihe clieni may always he protecLed, even when Ihe cfienL loses connectivily with Ihe ouLside proteclion process. in some examples, ihere is provided a system. Thai system may comprise a host machinc that managcs a plurality of virtual machines. Such virtual machines may be associated with an enterprise through a supervisory process, or the like.

in some cxamplcs, thc host machinc includes a thrcat management facility couplcd in a communicating relationship with the plurality of virtual machines. In some cases, the host machine including a Lhreat managemeni facility enlorces a security policy of Ihe enterprise br ihe plurality of virtual machines.

OOO6] The syslem may Further comprise a!irst virlual machine from among Ihe pluralily of virtual machines, Ihe lirsi virtual machine heing capable of operaling in a lirsi state on lhe hosi machine. In some examp'es, Ihe securily policy may be enlbrced by thc threat management facility, and the first virtual machine may be capablc of operating in a second state. A local security facility may bc executabic on the first virtual machine to autonomously enforce the security policy in the absence of the threat management facility.

[0007] The system may he configured such that a transition from the first state to thc second state is initiated automatically whcn thc virtual machine loses thc communicating relationship with the host machine. A transition from the first state to the second state may he initiated automatically when the virtual machine loses the communicating relationship with the threat management facility. The first virtual machine may be executing on the host machine whik operating in the second state. The threat management facility may he operating on a virtual machine separate from the pluralily of virtual machines.

OOO8] The syslem may Further comprise a hardware-computing device independeni Irom Ihe host machine. The lirsi virlual machine may execute on Ihe hardware-compuling device, br examp'e, while operaling in ihe second stale. A user of Ihe hardware-compuling device may iniliale a Iransilion From Ihe lirsi state to the second slale in order Lu operate the lirsi virlual machine on ihe hardware-compuLing device, for example, independenLly of Lhe hosi machine. The hosi machine may initiaLe a Iransition from the lirsi sLaLe lo ihe second slale.

OOO9] The security policy implemenled by Ihe thcal securily facilily may he a suhsei of Lhe security poficy implemenLed hy Lhe threaL management facilily. The securily facilities may provide protection against at least onc of malicious code, a malicious application, and an unwanted application.

[0010] According to further examples of thc invention, thcre is provided a method. That method may comprise providing a host machine that manages a plurality of virtual machines. Such virtual machincs may be associatcd with an entcrprise through a supervisory process, or the like. In some exampks, Ihe method may comprise executing a Lhreat managemenl Facility on the hosi machine coupled in a communicating relationship wilh Ihe pluralily oF virtual machines. In some cases, Ihe hosi machine induding Ihe Lhreat managemenl Facility may enForce a security policy of ihe enterprise for the pluralily of virtual machines.

Fool!] mc method may comprise operating a first virtual machine from among thc plurality of virtual machines, for example, in a first state on the host machine.

In some examples, the security policy may he enforced by the threat management facility; and the mcthod may comprise operating the first virtual machine in a second state. A local security facility executable on the first virtual machine may autonomously enforce thc security policy in the absence of the threat management facility.

[0012] A transition from the first state to the second state may be initiated automatically when the virtual machine loses the communicating relationship with the threat management facility. The first virtual machine may he executing on the host machine while operating in the second state. The method may comprise a hardware-computing device independent from the host machine. The first virtual machine may be executing on Ihe hardware-computing device while operaling in ihe second slale. The security Facilities may provide prolection againsl al least one of malicious code, a malicious appficalion, and an unwanied application.

[0013] According Lo a Further example ol the invention, there is provided a compuLer program produci conligured lo provide ihe melhod of any aspecLs oF the invenlion.

[0014] In some examples, ihe compuLer program product may comprise compuLer execulahle code, for example, emhodied in a non-Iransilory compuler readahle medium. When execuLing on one or more computing devices, ihe program produci may provide a virlual machine configured Lo perForm, br example, operaLing in a firsL slate on a host machine that hosts a plurality of virtual machines and provides a threat management facility for enforcing a security policy for the virtual machine. The program product may provide opcrating in a second state, wherein thc sccond state includes a local security facility configured to autonomously enforce the security policy in the absence of thc threat management facility. A transition from the first state to the sccond state may be iniliated auLomaticálly when the virtual machine thses a communicating rdalionship with Ihe threal managemeni facilily of the hosi machine. The firsi virtual machine maybe executing on Ihe hosi machine while operating in the second slale. The compuler program produci may further comprise a hardware-computing device independeni from Ihe hosi machine. The lirsi virtual machine may he execuling on ihe hardware-compuLing device while operating in the sccond state. The sccurity facilities may providc protcetion against at least one of malicious code, a malicious application, and an unwanted application.

[0015] These and other systems, methods, objects, features, and advantages of thc present invention will be apparent to those skilled in the art from the following detailed description of the preferred embodiment and the drawings. All documents mentioned herein are hereby incorporated in their entirety by referencc.

BRIEF DESCRIPTION OF TIlE FIGURES

[0016] The invention and the following detailed description of certain embodiments thereof may be understood by reference to the following figures: [0017] Fig. 1 depicts a block diagram of a threat management facility providing proleclion to an enterprise againsi a plurality of LhreaLs.

[0018] Fig. 2 depicls a iop-levd Hock diagram of an emhodimenl of Ihe preseni invention.

[0019] Fig. 3 depicls a iop-levd Hock diagram of an emhodimenl of Ihe preseni invention, including virtualized clienis located on a server.

[0020] Fig. 4 depicls a flow diagram of an emhodimeni of the preseni invenlion.

[0021] Fig. 5 depicls a iop-levd Hock diagram an embodiment of Ihe present invenlion, including a hosi managing a plurality of virlual machines.

[0022] Fig. 6 depicls a flow diagram of an emhodimeni of the preseni invention.

[0023] While the invention has been described in connection with certain prefened embodiments, other embodiments would be understood by onc of ordinary skill in the art and are encompassed herein.

[0024] All documents referenced herein arc hereby incorporated by reference.

DETAIl ED DESCRIPTION

OO25] Fig. I depicis a block diagram oF a threal management facilily providing proieciion to an enterprise againsl a plurality of ihreais. An aspect of Ihe preseni invenlion relates io corporaie policy management and impkmentaLion through a unificd thrcat management facility 100. As will bc explaincd in more dctail below, a threat managcmcnt facility 101) may bc used to protect computcr asscts from many threats, both computer-generated threats and user-generated threats. The threat managcmcnt facility 100 may be multi-dimensional in that it may be dcsigned to protcct corporate assets from a variety of threats and it may he adapted to learn about threats in one dimcnsion (e.g. worm detection) and apply thc knowlcdge in another dimension (c.g.

spam detection). Policy management is one of the dimensions for which the threat management facility can provide a control capability. A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of employees, types of employees, guest of the corporation, etc.) from accessing certain types of computer programs. For example, the corporation may &ect to prevent its accounting department Irom using a particular version of an instant messaging service or all such services. Tn Ihis example, Ihe policy managemeni facilily 112 maybe used lo updaie ihe policies oF all corporate computing asseis wiLh a proper policy conirol facility or ii may update a select Ièw. By using the threat management Facifity I 00 to!acililale ihe seiting, updaling and conirol of such poficies the corporation on'y needs Lobe concerned with keeping Ihe Lhreat managemenl Facility I 00 up to dale on such policies. The Lhreat managemenl facility I 00 can take care oF updaiing all of ihe oiher corporate computing assets.

OO26] It should be undersiood thai ihe ihreat managemenl Faciliiy 1 00 may provide muliiple services, and policy managemenl maybe oflered as one ol Lhe services.

We wifl now lurn lo a description of ceriain capahifities and componenls of the ihreaL managcment system 100.

[0027] Over recent years, malware has become a major problem across the internct 154. From both tcchnical and user perspectives, the categorization of a spccific threat type, whether as virus, worm, spam, phishing exploration, spyware, adware, or the like, is becoming rcduced in significance. the threat, no matter how it is categorized, may need lo he slopped at various poinis of a neiworlced computing environment, such as one ol an enterprise facility 1 02, including al one or more laptops, desktops, servers, galeways, communicalion ports, handheld or mobile devices, firewalls, and the like.

Similarly, Ihere maybe less and less henelil Lo Ihe user in having diftereni solulions br known and unknown ihreais. As such, a consolidaled ihreal managemeni faciliLy 100 may need to apply a similar set of technologics and capabilitics for all threats. In certain embodiments, the threat managemcnt facility 100 may provide a single agent on the desktop, and a single scan of any suspect file. This approach may eliminate the incvitablc overlaps and gaps in protection caused by treating viruses and spywarc as separate problems, while simultaneously simplifying administration and minimizing desktop load. As the number and range of typcs of threats has increased, so may havc the level of connectivity available to all 11 users. This may have lead to a rapid increase in the speed at which threats may move. Today, an unprotected PC connected to the internet 154 may be infected quickly (perhaps within 10 minutes) which may require acceleration for the delivery of threat protection. Where once monthly updates may have been sufficient, the threat management facility 100 may automatically and seamlessly update us produci sd againsi spam and virus threats quickly, for inslance, every five minutes, every minule, continuously, or the like. Analysis and tesling may be increasingly automated, and also maybe performed more frequently; for instance, it may he completed in IS minutes, and may do so withoul compromising quality. The Lhreat managemenl facilily 100 may also exiend techniques that may have been developed lbr virus and malware protection, and provide them to enlerprise facility 102 network administralors to better contro' their environments. In addition to stopping malicious code, the threat managemeni facility 100 may provide policy management thai may he able to control egiLimate applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the Ulce, that may undermine productivity and network performance within thc enterprise facility 102.

[0028] The threat management facility 100 may provide an enterprise facility 102 protection from computer-based malware, including viruscs, spyware, adwarc, I'rojans, intrusion, spam, policy abuse, uncontrolled access, and the like, where the enterprise facility 102 may be any entity with a networked computer-based infrastructure. In an embodiment, Fig. I may depict a block diagram of the LhreaL managemeni faciliLy 1 (JO providing proleclion to an enterprise against a plurality of LhreaLs. The enterprise facility 102 may he corporate, commercial, educational, governmental, or the like, and the enterprise faciliLy's 102 computer network maybe distrihuLed amongst a pluraliLy of facilities, and in a pluraliLy of geographical locaLions, and may indude adminisiration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D, such as protectcd by computer security facilities 152, and the like. Thc threat management facility 100 may include a plurality of functions, such as security managcment facility 122, policy management facility 112, updatc facility 120, definitions facility 114, network access rules facility 124, remedial action facility 128, detection techniques facility 130, testing facility 118, threat research facility 132, and the like, in embodiments, the threat protection provided by the threat management facility 100 may extend beyond the network boundaries of the enterprise facility 102 to include client facilities 144D that have moved into network connectivity not directly associated or controlled by the enterprise facility 102. Threats to client facilities 144 may come from a plurality of sources, such as from network threats 104, physical proximity threats 110, secondary locaLion Lhreats 108, and the like. Clients 144 may he protected from LhreaLs even when the client 144 is noL located in associaLion wiLh Lhe enterprise i 02, such as when a clienL I 44R-F moves in and out of the enterprise 102 such as interfacing wiLh an unprotecLed server I 42C through the Internet 154, when a client 1 44F is moving into a secondary locaLion Lhreat 108 such as interlacing with componenLs 136B, i42B, 148C, I 48D LhaL are noL protecLed, and Lhe like, in embodiments, the threat managemenL facility I 00 may provide an enLerprise Facility 102 proLection from a plurality of threats to multiplatlorm computer resources in a pluraliLy of locations and network conl'igurations, wilh an integrated sysLem approach.

OO29] in embodiments, the threat managemenL facility I 00 may he provided as a stand-alone solution. in other embodiments, the threat management facility 100 may he integrated into a third-party product. An application programming interface (e.g. a source code interface) may be provided such that the threat management facility 100 may he integrated. For instance, the threat management facility 100 may be stand-alone in that it provides direct threat protection to an enterprise or computer resource, where a protection is subscribed to direcUy 100. AlLernatively, the threat management Facility may oiler protection indirectly, Lhrough a third-parly product, where an enterprise may subscribe Lu services through the third-party product, and threat protection to the enterprise maybe provided by the threat managemeni lacilily 100 through the Lhird-parLy pr()ducL [0030] mc security managcmcnt facility 122 may include a plurality of clcmcnts that providc protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web sccurity and control, reputation-bascd filtering, control of unauthorized uscrs, control of guest and non-compliant computers, and the like. The security management facility 122 may be a software application that may provide malicious code and malicious application protection to a client facility 144 computing resource. The security management facility 122 may have the ability to scan the client facility 144 files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. In embodiments, scanning the client facility 144 may include scanning some or all of the files stored to the client facility 144 on a periodic basis, may scan applications once the applicaLion has been requesied to execuLe, may scan lies as the flIes are Lransmilted to or from Lhe clienL facihLy 144, or the like.

The scanning of Lhe applications and iiles maybe Lo detect known malicious code or known unwanted applications. In an embodimeni, new malicious code and unwanted apphcations maybe continuafly developed and distrihuLed, and updates to Lhe known code dalahase may he provided on a periodic basis, on a demand basis, on an alert basis, or ihe like.

OO31] In an emhodimenL, ihe security managemeni facility 122 may provide br email security and conirol, where securily management may help Lu efiminaLe spam, viruses, spyware and phishing, control oi email conLeni, and ihe like. The security managcmcnt facility's 122 email sccurity and control may protcet against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtcring, and the like, in an embodimcnt, security management facility 122 may providc for web security and control, where security management may help to detect or block viruses, spyware, malwarc, unwantcd applications, help control web browsing, and the Uke, which may provide comprehensive web access conirol enabling sale, produclive web browsing. Weh security and conirol may provide inlernel use policies, reporling on suspeci devices, securily and content liltering, aclive moniloring of neiworlc fta!iic, URI liltering, and the like. In an embodiment, the securily management faciliLy 122 may provide br neiworlc access conirol, which may provide conlrol over neiworlc conncctions. Network control may stop unauthorized, gucst, or non-compliant systcms from accessing networks, and may control network traffic that may not be bypasscd from the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may be a communications nctwork tunneled through another network, establishing a logical connection acting as a virtual network. In embodiments, a VPN may be treated in the samc manner as a physical network.

[0032] In an embodiment, the security management facility 122 may provide for host intrusion prevention through behavioral based protection, which may guard against unknown threats by analyzing behavior before software code executes.

Behavioral based protection may monitor code when it runs and intervene if the code is deemed to be suspicious or malicious. Advantages of behavioral based protection over runlime proteclion may include code being prevented from running, whereas runlime proleelion may only inlerrupi code that has already parlly executed; behavioral protection may idenLify mahcious code al the gateway or on the bile servers and deletes it before reaching end-point computers and the like.

[0033] In an embodimenl, ihe security managemeni facility 1 22 may provide br repulalion filtering, which may targel or idenlify sources of known malware. For inslance, repulation lillering may include lisis of URIs of know-n sources of malware or known suspicious IP addresses, or domains, say for spam, that when detected may invoke an aclion by ihe threat management laciliLy iOU, such as dropping ihem immediaLely. By dropping the source before any inleracLion can initiale, potential threal sources may be thwarted before any exchange of data can be made.

[0034] In embodiments, information may be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 100. For example, the types, times, and number of virus interactions that a client experiences may provide useful information for the preventions of future virus threats. This type of feedback may he useful!or any aspeci of threal detection.

Feedback ol inlormation may also he associaled wiih behaviors of individuals within the enterprise, such as being associaled with mosi common violations 0! policy, neiwork access, unaulborited application loading, unaulhorized external device use, and the like.

In embodiments, this type ol inlormation feedback may enable the evauat1()n orproliling of clicnt actions that are violations of policy that may provide a prcdictive model for the improvement of enterprisc policies.

[0035] In an embodiment, the security management facility 122 may provide for the overall sccurity of thc enterprisc facility 102 network or set of enterprise facility 102 networks, may provide updates of malicious code information to the enterprise facility 102 network, and associatcd clicnt facilitics 144. The updates may be a planncd update, an update in reaction to a threat notice, an update in reaction to a request for an update, an update based on a search of known malicious code information, or the like.

The administration facility 134 may provide control over the security management facility 122 when updates are performed. The updates maybe automatically transmitted without an administration facility's 134 direct control, manually transmitted by the adminisiralion facility 134, or ihe like. The security management facility 122 may include the management oF receiving malicious code descriptions liom a provider, disirihulion oF malicious code descriptions to enlerprise facilily 102 networks, disirihulion oF malicious code descriptions to clieni Facifihies 144, or the like. In an embodiment, the managemeni of malicious code ink)rmalion may he provided lo Ihe enterprise faciliLy's 102 neiwork, where Ihe enterprise FaciliLy's 102 network may provide Ihe malicious code iniormalion ihrough the enterprise faciliLy's 102 nelwork distrihulion system.

OO36] The threal management facilily 100 may provide a policy managemenL facility 112 ihal maybe able lo block non-malicious applicalions, such as VoIP 164, instant mcssaging 162, peer-to-pcer file-sharing, and thc like, that may undemüne productivity and network performance within the enterprise facility 102. The policy managcment facility 112 may be a set of rules or policics that may indicate entcrprise facility 102 access permissions for the client facility 144, such as access permissions associatcd with the nctwork, applications, external computer dcvices, and the like. The policy management faciliLy 1 12 may include a dalahase, a lext lile, a combination of databases and Lext files, or ihe like. In an emhodimenL, a policy dalahase may he a block fist, a black lisi, an allowed lisi, a while lisi, or the like ihal may provide a lisi of enterprise faciliLy 102 exLernal network locations/applications thai may or may not he accessed by ihe client laciliLy 144. The policy managemenL faciliLy 112 may include rules that may bc intcrprctcd with respcct to au cnterprise facility 102 network acccss rcquest to detcrminc if the rcquest should be allowed. Thc rules may provide a generic rule for the type of access that may he granted: the rules may be related to the policies of an enterprise facility 102 for access rights for the cnterprise facility's 102 client facility 144. For example, there may be a rule that does not permit access to sporting websites.

Whcn a website is requcsted by the client facility 144, a security facility may access thc rules within a policy facility to determine if the requested access is related to a sporting website. In an embodiment, the security facility may analyze the requested website to determine if the website matches with any of the policy facility rules.

[0037] The policy management facility 112 may be similar to the security management facility 122 hut with the addition of enterprise facility 102 wide access rules and policies ihat may he disirihuted Lo mainLain control of client ladiliiy 144 access Lo enterprise faciliLy 102 neLwork resources. The policies maybe delined for application Lype, suhsei of application capahililies, orgarnzalion hierarchy, computer facility type, user type, network location, Lime of day, connecLion Lype, or Lhe like. Policies may be maintained by ihe administration facility 134, ihrough Ihe LhreaL management faciliLy IOU, in associaLion with a ihird parly, or Lhe like. For example, a policy may restrici TM 162 activily lo only support personnel For communicating wiLh customers. This may allow communicaLion for departmenls requiring access, hut may mainlain the network handwidLh for oiher acLiviLies by restricting ihe use of TM 162 Lu only ihe personnel Lhal need access lo TM 1 62 in supporl of Lhe enlerprise Facility I 02. Tn an emhodimenl, ihe policy management facility 112 may be a stand-alone application, may be part of thc network server facility 142, maybe part of the enterprise facility 102 network, maybe part of the client facility 144, or thc like.

[0038] In embodiments, the threat management facility 100 may provide configuration managcmcnt, which may be similar to policy management, but may speci lically examine the conhguration set of applications, operating syslems, hardware, and the like, and managing changes to their conligurations. Assessment ola conliguration maybe made against a standard conliguration policy, detection of conliguration changes, remediation ol improper conliguration, application ol new conligurations, and the like. An enterprise may keep a set oF standard configuration rules and policies which may represent the desired state of the device. For example, a client firewall may be runrnng and installed, but in the disabled state, where remcdiation may he to enable the firewall. In another example, the enterprise may set a rule that disallows the use of IJSB disks, and sends a configuration change to all clients, which turns off USB drive access via a registry.

[0039] In embodiments, the threat management facility 100 may also provide for the removal of applications that may interfere with the operation of the threat management facility 100, such as competitor products that may also be attempting similar threat management functions. The removal of such products may be initiated automatically whenever such products are detected. In the case where such applications are services are provided indirectly though a third-party product, the application may be suspended until aclion is taken to remove or disable the third-parly product's protection facility.

[0040] Threat managemeni against a sometimes quickly evolving malware environment may require timely updates, and the update management Facility 120 maybe provided by the threat management facility 100. In addition, a policy management facility 112 may also require update management (e.g. as provided by Ihe update Facility I 20 herein described), as the enterprise facility 1 02 requirements For policies change enterprise facility 102, cflent Facility 144, server facility 142 enterprise Facility 102. The update management For the security Facility 122 and policy managemeni facility 112 may he provided directly hy the threat management Facility 100, such as hy a hosted system or in conjunction with the administration facility 134. In embodiments, the threat management facility 100 may provide for patch management, where a patch may he an update to an operating system, an application, a system tool, or the like, where one of the reasons for the patch is to reduce vulnerability to threats.

OO41] In embodiments, the securily facilily 122 and po icy management facility 112 may push inlormation Lo the enlerprise Iheilily I 02 neLwork and/or clieni facility 144, the enterprise facility 102 neiwork and/or client faciliLy 144 may pull inlormaLion from the securily FaciliLy 122 and policy managemeni Facility 112 neLwork server FaciliLies 142, there maybe a comhinaLion ol pushing and pulling olmiormalion bctwccn the sccurity facility 122 and thc policy management facility 112 network servers 142, enterprise facility 102 network, and client facilities 144, or the like. For cxample, the enterprise facility 102 network and/or client facility 144 may puil information from thc security facility 122 and policy managemcnt facility 112 network servcr facility 142 may request the information using the security facility 122 and policy management facility 112 updatc module; the request may be based on a certain time pcriod, by a certain time, by a date, on demand, or the like. In another example, the security facility 122 and policy management facility 112 network servers 142 may push the information to the enterprise facility's 102 network and/or client facility 144 by providing notification that there are updates available for download and then transmitting the information. The combination of the security management 122 network server facility 142 and security update module may luncLion substantially ihe same as the policy management Facifily 12 network server and poficy updaLe module by providing miormation to the enLerprise facility 102 neLwork and ihe clieni FaciliLy 144 in a push or pull method. In an embodiment, the poficy management faciliLy 112 and Lhe securiLy Facility 122 managemeni update modules may work in concerl to provide all ihe needed information Lu the enLerprise faciliLy' s I 02 neLwork andlor dienL facilily 144 br control ol apphcaiion execution. In an embodiment, the poficy updaie module and security update module may he combined mb a single update module.

OO42] As threats are idenlified and characieriied, ihe Lhreal managemenb facility I 00 may create debinibion updabes Ihat may he used bo allow the lhreab managcment facility 100 to detect and rcmediate the latest malicious softwarc, unwanted applications, configuration and policy changes, and the like. The threat definition facility 114 may contain thrcat idcntification updatcs, also referred to as definition files. A definition file may he a virus identity file that may include definitions of known or potential malicious code. Thc virus identity (IDE) definition files may provide inlormalion Ihal may identify malicious code within liles, applications, or the like. The definition files may he accessed by security managemeni facilily 122 when scanning flies or applicalions within the clieni facifily 144 for Ihe determination ol malicious code that maybe wiihin Ihe file or applicalion. The definition files may conlain a number of commands, definilions, or inslruclions, to he parsed and acted upon, or Ihe like. Tn embodiments, the client facility 144 may be updated with new definition files periodically to provide the client facility 144 with the most recent malicious code definitions; the updating may be performed on a set time period, may he updated on demand from the client facility 144, may be updated on demand from the network, may he updated on a received malicious code alert, or the like. In an embodiment, the client facility 144 may request an update to the definition files from an update facility 120 within the network, may request updated definition files from a computing facility external to the network, updated definition files may be provided to the client facility 114 from within the network, definition files may he provided to the client facility 144 from an external computing facility from an external network, or the like.

[0043] In an embodiment, a definition management facility 114 may provide br the timely updates of definilion files inlormaLion 10 ihe network, clieni facihiies 144, and Lhe like. New-and alLered mahcious code and malicious applicaLions maybe conlinually created and disirihuied Lo networks worldwide. The definition files Ihat maintain the definilions of the malicious code and malicious applicalion informaLion br Ihe prolecLion of the neiworks and client facililies 144 may need continual updaLing to provide conLinual defense of Ihe network and clienl facility 144 from the malicious code and malicious applications. The definition files management may provide br automalic and manual meihods of updating the definition files. in emhodimenls, the network may receive debiniLion flies and disirihute the definiLion files to the neiwork clieni faciliLies 144, the clieni facilities i 44 may receive Lhe definilion files directly, or the network and client facilities 144 may both receive the definition files, or the like, in an embodiment, the definition files may he updated on a fixed periodic basis, on demand by the network and/or the client facility 144, as a result of an alert of a new malicious code or malicious application, or the like. In an embodiment, the definition files may be released as a supplemental file 10 an existing definition flIes to provide br rapid updating of the definition flies.

[0044] In a similar manner, the security management facility 122 may he used Lo scan an outgoing bile and verify thai ihe outgoing bile is permitted to he transmitted per ihe enterprise facility 102 rules and poficies. By checking outgoing flies, the security managcment facility 122 may be able discover malicious code infectcd files that werc not dctectcd as incoming files as a result of the client facility 144 having been updated with either new definition files or policy management facility 112 information. The definition files may discover thc malicious code infected file by having received updates of developing malicious code from the administration facility 134, updates from a definition files provider, or the like. The policy management facility 112 may discover the malicious code infected file hy having received new updates from the administration facility 134, from a rules provider, or the like.

[0045] The threat management facility 100 may provide for a way to control access to the enterprise facility 102 networks. For instance, the enterprise facility 102 may want to restrict access to certain applications, networks, files, printers, servers, databases, or the like. In addition, the enterprise faciliiy 1 02 may want to restrict user access under certain conditions, such as the user's location, usage history, need to know, joh position, connection type, time of day, method of authentication, clieni-sysiem conliguration, or the like. Network access rules may he developed by the enterprise facility I 02, or pre-packaged by a supplier, and managed hy the threai management facility IOU in conjunction with the administration facility 134. Network access ruies and control may he responsible for determining if a client facility 144 appficalion should he granted access to a requested network ocation. The network thcation may he on the same neiwork as the facility or may he on another network. In an embodiment, the network access control may verify access rights for client facilities 144 from within the network or may verify access rights of computer facilities from external networks. When network access for a client facility 144 is denied, the network access control may send an information file to the client facility 144, the information file may contain data or commands that may provide instructions for the remedial action facility 128. The information sent by the network access facility 124 control may be a data file. the data lile may conlain a number ol commands, definitions, instructions, or commands Lo he parsed and acted upon through the remedial action facility 1 28, or ihe like. The inlormalion seni by the neiworlc access FaciliLy 124 contr& may he a command or command file Ihat Ihe remedial action Facility 128 may access and take aclion upon.

OO46] In an embodimeni, ihe network access rules 1 24 may provide an infonnation storc to be accessed by the nctwork access control. The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not he accessed by the client facility 144. Additionally, the network access rules facility 124 may incorporate rule evaluation; the rule evaluation may parse network access requests and apply the parsed information to network access rules. The network access rule facility 124 may have a generic set of rules that may he in support of an enterprise facility's 102 network access policies, such as denying access to certain types of websites 158, controlling instant messenger 162 accesses, or the like. Rule evaluation may include regular expression rule evaluation, or other rule evaluation method for interpreting the network access request and comparing the inLerprelation to the eslabflshed rules For network access. In an embodiment, the neiwork access rules faciliiy 124 may receive a rules evalualion requesl from the neiwork access conirol and may return the rules evalualion Lo Ihe neiwork access conirol.

OO47] Similar lo the threal delinilions Facilily 114, the network access rule facility I 24 may provide updaied rifles and policies to the enterprise Facility I 02. The network access rules Facility 124 may he mainlained by Ihe network adminisiralion facility 134, using neiwork access rules Facilily 124 managemenl. In an embodimenl, ihe network adminisiralion Facility 134 maybe able Lo mainlain a set oF access rules manually by adding rules, changing ruks, deleting rules, or Ihe Uke. Additionally, the administration facility 134 may be able to retrieve predefincd rule sets from a provider that may provide a set of rules to be applied to an entire enterprise facility 102. The network administration facility 134 may be able to modify the predcfined rules as needed for a particular enterprise facility 102 using the network access rules management facility 124.

OO48] V/ben a Lhreai or policy violation is detected by the threal managemeni facility IOU, the threat managemeni faciliLy 100 may provide br a remedial acLion facility 128. Remedial action may take a pluralily of forms, such as Lerminating or modibying an ongoing process or interaction, sending a warning to a clieni or administration Facilily 134 o1 an ongoing process or interaction, executing a program or application Lu remediale against a threat or violation, record interactions for subsequent evaluation, or the like.

Remcdial action may be associated with an application that responds to information that a client facility 144 network access request has been denied. In an embodiment, when the data file is reccived, remedial action may parsc thc data file, intcrpret the various aspccts of the data file, and act on the parsed data file information to determine actions to he taken on an application requesting access to a denied nctwork location, in an embodiment, when the data file is received, remedial action may access the threat definitions to parse the data file and determine an action to be taken on an application requesting access to a denied network location. In an embodiment, the information received from the facility may he a command or a command file. The remedial action facility may carry out any commands that are received or parsed from a data file from the facility wiLhouL perlorming any inlerpreLalion of Ihe commands. In an emhodimenL, the remedial action faciliLy may interact with Ihe received information and may perlorm various aclions on a clieni requesting access lo a denied neLwork localion. The acLion maybe one or more ol continuing Lu Hock all requesLs Lu a denied network location, a malicious code scan on the applicaLion, a malicious code scan on Lhe client faciliLy 144, quaranLine oF ihe applicaLion, LerminaLing Lhe application, isolation of ihe applicaLion, isolalion of the clieni bacflity 144 to a locaLion wiLhin ihe network that restrieLs neLwork access, hlocking a neiwork access porl From a cflenL facilily 144, reporLing Lhe appficalion Lo a adminisiralion facility 134, or Lhe Uke.

OO49] Remedial action may he provided as a resuk of a deteclion of a threat or violation. The detcction tcchniques facility 130 may includc monitoring thc entcrprisc facility 102 network or end-point devices, such as by monitoring streaming data through thc gateway, across the network, through routers and hubs, and thc like. Tie dctection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on scrvcr facilities 142, dcsktop computers, laptop computers, othcr mobile computing devices, and the like. Detection techniques, such as scanning a computer's stored flies, may provide the capahifity of checking flies for stored lhreats, either in the active or passive state. Detection techniques, such as streaming file management, may provide the capability ol checking files received at the network, gateway facility, client facility 144, and the like. This may provide the capability of not allowing a streaming file or portions of the strcaming file containing malicious code from cntering the client facility 144, gatcway facility, or network. In an embodiment, the streaming file may he broken into blocks of information, and a plurality of virus identities may be used to check each of thc blocks of information for malicious code. In an embodiment, any blocks that are not determined to he clear of malicious code may not he delivered to the client facility 144, gateway facility, or network.

[0050] Verifying that the threat management facility 100 is detecting threats and violations to established policy, may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 118 may allow the administration facility 134 to coordinate the testing of the security configurations of client facility 144 computing facilities on a network. The administration facility 134 maybe able 10 send test flies to a set ol client facility 144 computing facilities to test the ability of the client facility 144 to determine acceptability of the test file. Alter the test lile has been transmitted, a recording facility may record the actions taken by the client facility 144 in reaction to the test file. The recording facility may aggregate the testing information from the client facility 144 and report the testing inlormation to the administration facility 134. The administration facility 134 maybe able to determine the level ol preparedness of the client facility 144 computing facilities by the reported information. Remedial action may be taken for any of the client facility 144 computing facilities as determined by the administration facility 134; remedial action maybe taken by the administration facility 134 or by the user of the client facility 144.

[0051] Thc threat research facility 132 may providc a continuously ongoing effort to maintain the threat protection capabilities of the threat management facility 100 in light of continuous generation of new or cvolved forms of malware. threat research may include researchers and analysts working on known and emerging malware, such as viruses, rootkits a spyware, as well as other computer threats such as phishing, spam, scams, and the like. Tn emhodimenLs, lhrough threal research, the lhreai managemeni facility IOU maybe able Lo provide swill, global responses to the lalesi threaLs.

OO52] The threai management faciliiy 100 may provide ihreal protection to Ihe enLerprise faciliLy 102, where the enlerprise faciliiy 102 may include a pluralily of networked componenls, such as client Facility 144, server facility 142, administration facility 134, fircwall 13S, gateway, hubs and routers 148, thrcat managemcnt appliance 140, desktop users, mobile users, and the likc. in embodimcnts, it may be the end-point computer security facility 152, located on a computer's desktop, which may provide threat protcction to a user, and associatcd entcrprise facility 102. in embodiincnts, the term end-point may refer to a computer system that may source data, receive data, cvaluate data, buffer data, or thc like (such as a user's dcsktop computer as an end-point computer), a firewall as a data evaluation end-point computer system, a laptop as a mobile end-point computer, a PDA as a hand-held end-point computer, a mobile phone as an end-point computer, or the like. In embodiments, end-point may refer to a source or destination for data, including such components where the destination is characterized by an evaluation point for data, and where the data may be sent to a subsequent destination alter evaluation. The end-poini computer security!aciliiy 152 maybe an applicalion oaded onlo the compuLer plallorm or compuLer support componenl, where ihe application may accommodate the pluraliLy of computer plallorms andlor fttnctional requiremenis of the componenl. For instance, a clieni faciliLy 144 compuLer may he one olapurality ol compuierplailorms, such as Windows, Maciniosh, Linux, and the like, where ihe end-poinL computer security Facifity 152 maybe adapted 10 ihe specilic phuLlorm, while maintaining a urniorm produeL and produci services across platforms.

Additionally, componenis may have dilTereni functions to serve within the enterprise facility's I 02 neiworked compuLer-hased infrastructure. For insLance, computer support componenls provided as hubs and rouLers 148, server facility 142, lirewalls 1 3S, and the like, may requirc unique security application softwarc to protect their portion of thc system infrastructure, while providing an element in an integrated threat management system that extends out beyond the thrcat managcment facility 100 to incorporatc all computer resources under its protection.

OO53] The enlerprise Facility 102 may include a plurality of client Facilily 144 compuling plaiforms on which Ihe end-poini compuler securily facility 152 is adapted. A cfient faciliLy 144 computing platform may he a computer system Lhat is able to access a service on another computer, such as a server VacUity 142, via a neiwork. This client facility 144 server facility 142 model may apply 10 a pluralily of networked applicaLions, such as a clicnt facility 144 connecting to an enterprise facility 102 application scrver facility 142, a web browser client facility 144 connccting to a web server facility 142, an e-mail client facility 144 retrieving e-mail from an internet 154 service provider's mail storage servers 142, and the like. In embodimcnts, traditional large client facility 144 applications maybe switched to websites, which may increase the browser's role as a client facility 144. Clients 144 may be classificd as a function of the extent to which they perform their own processing. For instance, client facilities 144 are sometimes classified as a fat client facility 144 or thin client facility 144. The fat client facility 144, also known as a thick client facility 144 or rich client facility 144, may he a client facility 144 that performs the bulk of data processing operations itself, and does not necessarily rely on the server facility 142. The fat client facility 144 may he most common in the form of a personal computer, where ihe personal computer may operate independent of any server facility 142. Programming environmenis br faL clients 144 may include CURT, Delphi, DropleLs, Java, win32, Xli, and the like. Thin clients 144 may oiler minimal processing capahiliLies, For instance, the thin clieni FaciliLy 144 may primarily provide a graphical user interface provided by an applicaLion server Facility 142, which may perform the hulk of any required data processing. Programming environmenls For ihin clients 144 may include JavaScript/AJAX, ASP, JSP, Ruby ri Rails, Python's Django, PHP, and the Uke.

The client facility 144 may also he a mix of the two, such as processing dala locally, hut relying on a server facility 142 for data storage. As a result, this hybrid client Facilily 144 may provide benefits From both the ha client Facility i 44 type, such as muhimedia support and high performancc, and the thin clicnt facility 144 type, such as high manageability and flexibility. In embodiments, the threat management facility 100, and associatcd end-point computer security facility 152, may provide scamlcss thrcat protection to the plurality of clients 144, and client facility 144 types, across the cntcrprisc facility 102.

OO54] A computer, such as Ihe end-point cfleni 144, server 142, and Ihe like, maybe a physical compuling machine, Ihal is, it may act as a single processing entity, where there is a single operating syslem on the machine, and which has afi of the physical resources of Ihe physical machine available for us use. However, a compuler may also he partitioned or multiplexed into a pluralily of virtual computing machines, such as whcrc each virtual computing machine runs its own operating system. One of the rcasons for implementing a virtual computing machine configuration is to establish multiple isolated virtual machines on a single hardware platform, such as for running a plurality of client virtual machines on a server, for quality of service offered to different cntcrprisc customer servers operating on the same physical server 142, the ability to run different types of operating systems on a single platform, providing a unique instruction sct architecture to one virtual machine verses another, and the like. In embodiments, a plurality of virtual computing machines configured on a single physical computing machine may each have their own copies of the end-point computer security facility 152, such as all running on the same physical computing machine, distributed amongst at least two computing machines, and the like.

OO55] The enlerprise Facility 102 may include a p'urality of server facilities 142, such as appflcalion servers, communications servers, file servers, dalahase servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. A server facility 142, Which may also he referred to as a server Ihdility 142 application, server facility 142 operating system, server faciliLy 142 compuLer, or Ihe Uke, may he an application program or operating system that accepts clienL facilily 144 connections in order lo service requesLs from clienis 1 44. The server facility 142 application may run on Ihe same compuler as Ihe cflenL facilily 144 using ii, or the server facility 142 and Ihe cfienL faciliLy 144 maybe running on different compulers and communicaLing across the network. Server faciliLy 142 applications may he divided among server Facility 142 computers, with the dividing dcpcnding upon the workload. For instance, under light load conditions all server facility 142 applications may run on a single computer and undcr heavy load conditions a single server facility 142 application may run on multiple computers. In embodiments, the threat management facility 100 may provide threat proleclion lo server Facilities 142 within the enterprise Facilily I 02 as thad conditions and application changes are made.

OO56] A server Facilily 142 may also bean appfiance Facility 140, where Ihe appliance facifity 140 provides specilic services onlo Ihe neiwork. Though ihe appliance facility 140 is a server facility 142 compuler, that maybe thaded with a server facility 142 operating systcm and server facility 142 application, the cnterprise facility 102 user may not need to configure it, as the configuration may have been performed by a third party. In an embodiment, an enterprise facility 102 appliance may be a server facility 142 appliance that has been configurcd and adaptcd for use with the threat management facility 100, and located within the facilities of the enterprise facility 102. The enterprise facility's 102 threat managcmcnt appliance may enable the enterprise facility 102 to administer an on-site local managed threat protection configuration, where the administration facility 134 may access the threat resources through an interface, such as a web portal. In an alternate embodiment, the enterprise facility 102 may be managed remotely from a third party, vendor, or the like, without an appliance facility 140 located within the enterprise facility 102. In this instance, the appliance functionality maybe a shared hardware produci heiween pluralities oF enlerprises 1 02. Tn emhodimenLs, Ihe appliance facifity 140 may he localed al the enterprise facility 1 02, where ihe enterprise facility 102 mainlains a degree ol conirol. In emhodimenls, a hosted service may he provided, where Ihe appliance 140 may still he an on-site black box lo Ihe enlerprise facility 102, physically placed Ihere because of infrastructure requiremenis, hut managed hy a third parly, vendor, or Ihe like.

OO57] Simple server facilily 142 appliances may also he uLiliied across the enterprise faciliLy's 102 neiwork inirasiructure, such as switches, routers, wireless roulers, hubs and roulers, gaLeways, prini servers, nd modems, and the like. These simp'e server Facilily appliances may not require conliguration by the enlerprise facilily 102, but may rcquire protection from threats via an end-point computer sccurity facility 152. These appliances may provide interconnection services within the enterprise facility 102 network, and therefore may advance the spread of a threat if not properly protcctcd.

[0058] One way for a client facility 144 to he protected from threats from within the enterprisc facility 102 network may be a personal fircwall. A pcrsonal fircwall may be an application that conirols neiwork traffic to and liom a client, permitling or denying communications based on a security policy. Personal firewalls may he designed br use by end-users, which may resull in proleclion br only the compuler on which il's inslalled. Personal lirewalls may he ahle to control network traffic by providing prompis each Lime a connection is atiempled and adapling securily policy accordingly. Personal tirewalls may also provide somc level of intrusion detection, which may allow the software to terminate or block conncctivity where it suspects an intrusion is being attempted. Other features that may he provided by a personal firewall may include alerts about outgoing conncction attempts, control of program access to nctworks, hiding thc client from port scans by not responding to unsolicited network traffic, monitoring of applications that may be listening for incoming connections, monitoring and regulation of incoming and outgoing network traffic, prevention of unwanted network traffic from installed applications, reporting applications that make connection attempts, reporting destination servers with which applications may he attempting communications, and the like. In embodiments, the personal firewall may he provided by the threat management facility 100.

OO59] Anoiher imporlanl component IhaL may he protecled by an end-poini compuler securily facility 152 is a neiwork firewall Facility 138, which may he a hardware or soFtware device ihal may he conligured lo permil, deny, or proxy dala Lhrough a compuler neiwork ihal has different evels of trusL in its source oF daLa. For insLance, an iniernal enlerprise Facilily 102 network may have a high leve' oF trusi, hecause ihe source of all dala has been sourced from within ihe enterprise facility 1 02.

An exampk of a low-level of Lrusl is the InierneL 154, because Ihe source of data maybe unknown. A tone wiih an inlermediaLe Lrusl level, siLualed heLween the TnterneL 154 and a trusted internal neiwork, may he referred Lo as a "perimeler neiwork". Since lirewall facilities I 38 represenl boundaries between Lhreat levds, the end-poini computer security facility 152 associated with the firewall facility 13S may providc resourccs that may control the flow of threats at this enterprise facility 102 network entry point. Firewall facilities 138, and associatcd end-point computcr sceurity facility 152, may also be associated with a network node that may he equipped for interfacing between networks that use different protocols. In embodimcnts, the end-point computer security facility 152 may provide lhreai proleclion in a pluralily oF neiwork infrastructure localions, such as al the enlerprise facility 102 network entry point, i.e. the Firewall facilily 138 or galeway; al the server Facilily 142; at disirihulion poinls within the neiwork, i.e. the hubs and routers 148; at Ihe deskiop ol clieni facility 144 compulers; and the like. Tn embodiments, the mosi efleelive location br LhreaL delection may heal Ihe user's computer dcsktop cnd-point computer sccurity facility 152.

[0060] Thc interfacc between the threat management facility 100 and thc enterprise facility 102, and through the appliance facility 140 to embedded end-point computer sccurity facilities, may include a set of tools that may be the same for all enterprise implementations, hut allow each enterprise to implement different controls. In cmbodiments, these controls may include both automatic actions and managed actions.

Automatic actions may include downloads of the end-point computer security facility 152 to components of the enterprise facility 102, downloads of updates to existing end-point computer security facilities of the enterprise facility 102, uploaded network interaction requests from enterprise facility 102 components to the threat management facility 100, and the like. In embodiments, automatic interactions between the enterprise facility 102 and Ihe lhrea management facifity IOU may he con Ii gured by the threat managemeni facility IOU and an administration Facility 134 in Ihe enterprise facilily 102. The adminislralion facility 134 may conligure policy rules Ihal delermine inleracLions, such as devdoping rules br accessing applicalions, as in who is aulhoriied and when applications may he used; eslablishing rules or ethical behavior and activities; ru'es governing ihe use of enterlainmeni sofiware such as games, or persona' use software such as TM 162 and VoIP 164; rules For determining access to enterprise Facilily 102 compuling resources, including auLhenticaLion, levels of access, risk assessmenl, and usage hislory tracking: rules br when an aclion is not allowed, such as whether an aclion is complelely deigned or jusi modified in its execution; and ihe Uke. The administralion facility 134 may also establish license managcment, which in turn may further determine interactions associated with a licensed application. In embodiments, interactions between thc threat management facility 100 and the enterprise facility 102 may provide threat protection to the enterprise facility 102 by managing the flow of network data into and oul of the enterprise Facility I 02 through aulomalic actions Ihal may he conligured hy the threat management Facility IOU or the administration facility 134.

[0061] Client Facilities 144 within the enterprise facility 102 may he connected to the enterprise facility 102 nelwork hy way of wired network facilities I 48A or wirdess network facilities 1 48B. Client facilities 144 connected to the enterprise facility 102 network via a wircd facility I4SA or wireless facility 148B may rcccive similar protection, as both conncction typcs are ultimately conncctcd to thc samc enterprise facility 102 network, with the same end-point computer security facility 152, and thc samc threat protccted cntcrprise facility 102 environment. Mobile wirclcss facility clients 144B-F, because of their ability to connect to any wireless 148B,D nctwork acccss point, may connect to thc intcrnct 154 outside thc enterprise facility 102, and therefore outside the threat-protected environment of the enterprise facility 102. In this instance the mobile client facility 144B-F, if not for the presence of the end-point computer security facility 152 may experience a malware attack or perform actions counter to enterprise facility 102 established policies. In addition, there may be a plurality of ways for the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility 144D-F that has an embedded end-point computer security Facility 152, such as by providing URI liltering in personal routers, using a weh appliance as a DNS proxy, or the like. Mobile client facilities I 44D-F thai are components of the enterprise Facility 102 hut temporarily outside connectivity with the enterprise facility 102 network, may he provided with the same threat protecLion and policy control as client Facilities 144 inside the enterprise Facility 102. In addition, mobile client Facilities I 44B-F may receive the same interactions to and from the threat management facility 100 as client facilities 144 inside the enterprise facility 102, where mobile client Facilities I 44B-F may he considered a virtua' extension of the enterprise facility I 02, receiving afl the same services via their embedded end-point computer security facility 152.

[0062] Interactions hetween the threat management facility 100 and the components of the cntcrprise facility 102, including mobile client facility 144B-F extensions of the enterprise facility 102, may ultimately he connected through the internet 154. Threat managemcnt facility 100 downloads and upgrades to the enterprise facility 102 may he passed from the lirewalled networks oF the threat management facility 100 through to the end-point computer security facility 152 equipped components of the enterprise facility 102. In turn the end-point computer security facility 1 52 components oF the enterprise facility 102 may upload policy and access requests hack across the internet 1 54 and through to the threat management Facility 1 00. The Tnternet I 54 however, is also the path through which threats may be transmitted from their source.

These network threats may include threats from a plurality of sources, including websites 158, e-mail 160, IM 162, VoIP 164, application software, and the like. These threats may attempt to attack a mobile enterprise client facility 144B-F equipped with an end-point computer security facility 152, hut in embodiments, as long as the mobile client facility 144B-F is embedded with an end-point computer security facility 152, as described above, threats may have no better success than if the mobile client facility 144B-F were inside the enterprise facility 102.

[00631 however, if the mobile client facility 144 were to attempt to connect into an unprotected connection point, such as at a secondary location 108 that is not a part of the enterprise facility 102, the mobile client facility 144 may be required to request network interactions through the threat management facility 1 00, where contacting the threat management Facility IOU maybe perFormed prior to any other network action. In embodiments, the client Facility's 144 end-point computer security facility 152 may manage actions in unprotected network environments such as when the client facility I 44F is in a secondary location 1 08 or connecting wirelessly to a non-enterprise Facility 102 wireless internet connection, where the end-point computer security facility 152 may dictate what actions are allowed, blocked, modilied, or the Uke. For instance, if the client facility's 144 end-point computer security facility 152 is unable to estahflsh a secured connection to the threat management facility 1 00, the end-point computer security Facility 152 may inform the user oF such, and recommend that the connection not he made. Tn the instance when the user chooses to connect despite the recommendation, the end-point computer security facility 152 may perform specific actions during or after the unprotected connection is made, including running scans during the connection period, running scans after the connection is terminated, storing interactions for subsequent threat and policy evaluation, contacting the threat management facility 100 upon first instance oF a secured conneclion br bürLher actions and or scanning,restricLing access to neiwork and loca' resources, or the like. Tn embodimenis, the end-poini compuler securily Facilily 152 may perborm speciflc actions to remediae possible LhreaL incursions or policy violations during or alter the unprotecled conneclion.

[0064] The secondary locaLion 108 may have no end-poini compuLer securily facilities 152 as a part of its computer components, such as its tIrewalls 13 SB, servers 142B, clients 144(1, hubs and routers 148C-D, and the like. As a result, the computer components of the secondary location 108 may he open to threat attacks, and become potential sourccs of thrcats, as well as any mobilc cntcrprisc facility clients 144B-F that maybe connected to the secondary location's 108 network. In this instance, these computer components may now unknowingly spread a threat to other components connected to the network.

[0065] Some threats may not come directly from the Internet 154, such as from non-enterprise facility controlled mobile devices that are physically brought into the enterprise facility 102 and connected to the enterprise facility 102 client facilities 144.

The connection maybe made from direct connection with the enterprise facility's 102 client faciliLy 144, such as through a USB port, or in physical proximily with ihe enterprise faciliLy's 102 client Facility 144 such that a wireless faciliLy connection can he established, such as Lhrough a BlueLooth connection. These physical proximity threats 1 0 may he anoLher mohfle compuLing device, a poriahle memory storage device, a mobile communications device, or the like, such as CDs and DVDs 170, memory stick 174, Flash drive 174, extemal hard drive, cefl phone 178, PDAs ISO, MP3 players, digital cameras, point-b-point devices, digibal picture Frames, digilal pens, navigabion devices, appliances, and the like. A physical proximily LhreaL liD may have been previously inflltraLed by neiworlc ihreals while connected lo an unprotecbed neiworlc connecbion oulside the enterprise facility I 02, and when connecLed to the enberprise Facilily 1 02 client facility 144, pose a threat. Because of their mobile nature, physical proximity threats 110 may infiltrate computing resources in any location, such as being physically brought into the enterprise facility 102 sitc, connected to an enterprise facility 102 client facility 144 while that client facility 144 is mobile, plugged into an unprotected client facility 144 at a secondary location 108, and the like. A mobile device, oncc connected to an unprotected compuler resource, may become a physical proximity lhreai I 10. in embodiments, the end-point computer security facility 152 may provide enterprise facility I 02 computing resources with threat proteclion against physical proximily threats liD, br instance, through scanning the device prior to allowing data transfers, through security validation cerlilicates, through establishing a safe tone within the enterprise facility 102 computing rcsourcc to transfer data into for evaluation, and thc like.

[0066] Now that the overall system has been described, we turn towards a set of virtualization security protection embodiments. It should be understood that the following cmbodiments may be managed through a threat management facility 100 along with other services, such as those described herein.

[0067] A multi-part internal-external process system may he used to provide security protection to a virtual client environment, such as though an end-point computer security facility 152 as described herein, that is distributed between an internal security portion (e.g. with the virtualized client) and an external security portion (e.g. on a host server managing a plurality of virtualized clients). In embodiments, the internal protection process may be similar in lunction and design to the external process hut smafler and less functional, in thai it may only need to provide protection to a singular computing environment, namely inside of the virtual machine in which it resides. The external system may in turn he more complex since it may need to deal with multipk environments, such as to secure and coordinate security protection among inLernal processes and other external processes bi)r the totality of high availability security protection. in embodiments, the system may dynamically adjust to a transitory stale of the system as a whole. For example, the system may dynamically transition heiween the external process and the internal process when the virtual client environment on a desktop running on a server is transitioned to a laptop computer that becomes disconncctcd in the process. in another cxamplc, the systcm may dynamically switch to the internal process upon loss of the external security protection device leaving the inside system as thc last layer of defense, which thcn providcs security protection. in embodiments, in normal operation the inside process may lay dormant except for communication with the outsidc process providing thc default protection. in embodiments, the oulside environmeni may or may not exisi on (be clieni device being pr()lecled. In embodimenis, Ihe inside process may Lake over when Ihe external process is unavailable, when Lhe inside process can no longer communicate with Ihe outside process, when Lhe external process is inaccessiffle, when an oulside facilily initiates a Iransier Irom the external lo the inLernal process (e.g. through a policy management facility 112, a sceurity managcment facility 122, during updates 120 to the cxternal process, through network access facilities 124), when a uscr rcquests a transfer (e.g. transferring a virtual computer to a physical computing machine), by an administration 134 rcquest, and the like, in this way, thc client may always be protected, even when the client looses connectivity with the outside protection process. In embodiments, the cxtcrnal process may bc extcrnal to an individual virtual machine but located on the host server that is managing the virtual machine, external to the host machine but within an enterprise associated with the virtual machine, external to the enterprise, and the like, and may he updated, such as through the updates facility 120 as discussed herein.

[00681 In embodiments, the internal-external security facility may he used to secure virtualized environments that need high availability security protection and high perlormance distrihuled modes oF operalions, such as providing continuous proleclion wilh ihe inLemal-exLerna system coordinaLing securiLy, providing for a virtuali,ed environment to he Lransitory existing on a server or clieni machine and adjusling Ihe hehavior of the securiLy prolection dynamically, providing a secure virlual environmeni Lhrough a process thai is external Lo the environmeni which may reside on its ow-n dedicaLed device providing superior perFormance characLeristics of the system as a whole, providing a high availability production environmeni where Ihe loss oF a securily proleclion process will he resumed by anoLher exiernal or iniernal multi-pan protection process, and Ihe like.

110069] Referring Lo Fig. 2, in embodiments an external securiLy facilily 202 may providc security protection 210A to a virtualized client environment 20S as long as communication 212A is maintained between the external security facility 202 and an internal sccurity facility 204 associated with the virtualized client 20S. If the internal security facility 204 loses communication 212B with the external security facility 202, thc internal security facility 204 may thcn take over security protection 210B of the virLuálized client environment 208. In embodiments, the external securily FaciliLy 202 may provide Ihe deFault or normal' securily proleclion lo ihe viriualiied clieni environment 20S, and the internal securiLy facilily 204 may provide securily protection 21DB in ihe eveni LhaL ihe external security Facility 202 is unavailable, such as though a thss in communications connectivily 21 2B with the exiernal securily Facilily 202. That is, the internal security facility 204 may normally stay in au idle state, but providc protection 210B to the virtualizcd clicnt cnvironment 208 whcn it is dctcrmincd that the external security facility 202 may no longer be providing protection to the virtualized client environmcnt 208 through an indication providcd through communication bcing lost 212B from the external security facility 202.

[0070] Referring to Fig. 3, in embodimcnts an external sccurity facility 202 may reside on a server 142A, such as in an enterprise 102 and connected to a plurality of clients 144. The clients 144 may he physical computers, hut where their client environments are virtual client environments 208 managed through the server 142A. In embodiments, the virtual client environments 208 may he protected though the multi-part internal-external process system, where the external security facility 202 protects Lhem whfle the physical cflenis 144 are in communications with the server I 42A, hut where an inlernal securily facility 204 takes over when LhaL communication conneclion is osL, even ii only For a short Lime. Tn an example, the exLernal securiLy FaciliLy 202 may he located on a server 142A and conFigured Lo provide protection 2!OA to a pluraliLy oF virLuálized client environments 208 lhrough the server I 42A, where each virLualited cfient environment 208 is associaLed wiih a physical clieni 144, such as a deskkp compuLer, laptop computer, mobile compuLing Facifity, and ihe like. In addition, an inLerna security Facility 204 maybe associaled wiih each virtualized clienL environment 208, where each of ihe iniernal securily Facilities 204 mainlains a communication connection 2!2A wiLh Lhe external security Facilily 202, and Lakes over securily protection 210B if the communication is lost 212B. For instancc, a physical client 144H may he running a virtualized client environment 208A through the server 142A. The physical clicnt 144H may also be associated with an internal sccurity facility 204A, that may run in an idle state while maintaining communications 212A with the external sccurity facility 202. Howevcr, should thc communications be lost 212B, the internal security Facilily 204A would Lake over securily protection 21 OB of Ihe virtualized client environment 20S. An example of ibis condilion, where (be communication is losI 21 2B, may include a desktop compuler being disconnecied Irom (be network, such as to move ii Lu a new location; a laptop or oLber mobde computing Facilily Liken out of the enlerprise 102 and away 1mm the enterprise network; a laphp powered up oulside the enterprise 102; and the like. In this way, a client 144 may be providcd continuous security protection, rcgardlcss of whether the clicnt 144 is directly connectcd to the extcrnal security facility 202 or disconnected. From a security administrator perspective, this multi-part internal-extcrnal process system may allow them to maintain the computer security protection system through the external security facility 202, while being assured that protcction is seamlessly maintained by the intcrnal security facility 204 when the client is not in communications with the external security facility 202. Further, security updates that have been deployed through the external security facility 204 while the client 144 is disconnected may be provided to physical clients 144 when communications is reestablished 2 12A.

[0071] Referring to Fig. 4, in embodiments the present invention may provide security to a virLualized client 402 hy providing an exiernal securily FaciliLy Lo proleci (be virLualized client environment ol at leasL one of a pluralily of virLualized clients 404: providing an inlernal securily FaciliLy resideni wilh Lhe clienL environmeni, wherein the inLernal security facility is enabled to communicale wiih Ihe external securiLy facilily 408: perlorming securiLy protecLion oF the clieni environmeni through (be external security facility when the iniernal securily Facility conLinuously receives communicaLion from the external securiLy FaciliLy 41 0: and perlorming securiLy protection ol the clieni environment through the internal security Facilily when communication wiih ihe external security Facilily is losi 412. Tn embodimenis the virlual client environmenL 208 maybe operaLing on a server 142A and in association wilh a physical client device 144, such as where the communication with thc extcrnal sceurity facility 202 is not rcceived due to the physical client device 144 losing communications connectivity with the server 142A, and thc internal security facility 204 resides on the physical client device 144 and providcs the security protection until connectivity with the server 142A is re-established. The cxtcrnal security facility 202 may be a centralizcd extcrnal security facility rcsidcnt on a server 142A. The external securily facility 202 may he resideni on Ihe clieni device 144.

The external 202 and internal 204 securiLy fad Ii lies may provide proleclion to Lhe virLuálized client 208 against maficious code, a malicious application, an unwanled application, and Ihe like. The external 202 and inLernál 204 securily Facilities may provide security through a securily managemenL faciliLy 122, as described herein. The cxtcrnal 202 and internal 204 sccurity facilities may providc security through an cnd-point computer security facility 152, as described hcrein. the level of sccurity to the virtualized client 208 as established by the external security facility 204 may be maintaincd by the intcrnal security facility 204. the level of security to thc virtualizcd client 208 as established by the external security facility 202 may he maintained in part by the internal sccurity facility 204. Thc protcetion provided by the internal sccurity facility 204 may he similar in function and design to the external security facility 202.

The internal security facility 204 may be smaller and less functional than the external security facility 202. The communication may he determined to he lost after communications from the external security facility 202 to the internal security facility 204 is not received for a predetermined time. The communication lost may he a Lransilory change in communications heLween the inLernal 204 and exLernaI 202 security facilities. The communicaLion may he lost due Lu a disconneclion from a neLwork connection. The communicalion may he lost due to a disruplion of a neiwork connection.

The communication maybe lost is due to conditions internal Lu a physical clienL device 144 associated with the virtual client. The communication maybe thsL as Lhe virtualized cfient environment 208 is iransitioned between dilFereni physical clieni devices 144. The combined security proteclion of Lhe inLerna 204 and exLerna 202 security Facilities may he a mulLi-pari distrihuLed vendor neuLral virtualization system, such as where no ihird-party API is required to run ihe system. The iniernal security Facility 204 may he operaLionally dormani except br communicaLion wiih the external securiLy Facilily 202 until the communication is lost.

[0072] In embodiments, a loss of communications' may not he required in order for security protcction to be switched from a host-providcd security facility to a client-provided security facility. For example, a server and virtualized client machines may be collocated on the samc host, where the scrver is protccting the clicnt machincs, and where the clieni machines may he accessed from a clienL machine (e.g. a laplop) via a remole access prolocol. In the instance when ihe user wants Lo use the client machine away Irom ihe ollice, the process may he that Lhe user "checks out" the client virLual machine 1mm the server lo the lapLop. An automatic process provided by the virLuahzalion system may then freeze the clieni on Ihe server, copy it over the laptop, and rcstart it on thc laptop. In this proccss there is no point where communications is necessarily lost with thc scrver. However, the system may thcn providc a local dormant protection service associated with the virtualized client, where the dormant protection scrvicc would be activated by the virtualization systcm that knows thc rclationship between the protecting server and the client virtual machine.

[0073] Referring to Fig. 5, a host machinc 502 may manage a plurality of virtual machines 510, such as though a supervisory process 504. The host machine 502 may also provide a threat management facility 508 for providing security protection to the plurality of virtual machines 510, where the threat management facility 508 maybe a threat management facility provided locally on the host machine 502 at the enterprise: a threat management facility 100 provided either locally on the host machine, externally wilhin the enlerprise, remote from the enterprise; and the like. A local securily facilily 51 4A-B maybe provided 10 aL least a iirsL virLual machine 512 oF the puraliLy of virlual machines 510, where the local securily faciliLy SI 4A maybe in a dormani slale when Lhe Lhreat managemeni Facility 508 is prolecting Lhe virLual machine 512. However, in the absence of ihe Lhreat managemenL FaciliLy 508, the virtual machine's 5 I 2 local securily facility 514B may Ihen take over, and provide securiLy prolection Ior the virtual machine 512. In emhodimenLs, ihe initiaLion of Lhe swiLch from the virtual machine 512 heing prolecied hy Lhe LhreaL managemenL facilily 502 Lu Ihe ocal security Facility 51 4B maybe hy a user of ihe virLual machine 512, an adminisLralion Facilily 134, through security managemenl 122, ihrough policy management 112, Lhrough network access rules 124, hy thc host machine 502, by thc thrcat managcmcnt facility SOS, 100, and the like.

[0074] Referring to Fig. 6, in embodiments, methods and systems of the present invcntion may provide security to a virtual machine 602, comprising a host machine that manages a plurality of virtual machines associated with an enterprise through a supcrvisory proccss, where the host machine includcs a threat management facility coupled in a communicaling relalionship wiih ihe pura1ity of virlual machines and where the Lhreai managemenl facility enforces a securiLy policy o1 ihe enterprise br Ihe pluralily of virtual machines 602. A first virlual machine brom among ihe plurality of virLuál machines may operale in at leasi two slates (I) 608 the lirsi virlual machine may he capable of operaling in a first slale on the host machine where Ihe securily pohey is cnforced by the threat management facility, and (2) 610 the first virtual machine may be capabic of opcrating in a second state wherc a local sccurity facility executabic on the first virtual machine autonomously enforces the security policy in the absence of the threat managcmcnt facility, in embodiments, the transition from the first statc to thc second state may he initiated automatically when the virtual machine loses the communicating rclationship with the host machinc, when thc virtual machine loses the communicating relationship with the threat management facility, and the like. The first virtual machine may he executing on the host machine while operating in the second state, on a virtual machine separate from the plurality of virtual machines, and the like.

Further, the first virtual machine may he executing on a hardware-computing device independent from the host machine while operating in the second state, such as a personal compuler, a lapiop compuler, a mobile communicalions device, and the like. A user of Ihe hardware-compuling device may iniliale a Iransilion 1mm Ihe lirsi state to the second slale in order Lu operate the lirsi virlual machine on ihe hardware-compuLing device independenily of the hosl machine. The hosl machine may iniliale Ihe transiLion 1mm Ihe lirsi state Lo Ihe second slate. The securily policy implemenied by the local securily facility maybe a subsel oF the securiLy policy impkmenied by the ihreai managemeni facility. The securiLy facilities may provide proleclion against malicious code, a malicious appficalion, an unwanied application, and the like.

OO75] In embodiments, a computer program producL of Lhe presenL invenlion may comprise computer execuLahle code embodied in a non-Lransitory computer readahle medium that, whcn executing on one or morc computing devices, provides a virtual machine configured to perform the steps of (1) operating in a first state on a host machine that hosts a plurality of virtual machines and provides a thrcat management facility for enforcing a security policy for the virtual machine: and (2) operating in a second state, where the second state includes a local security facility configured to autonomously enlorce Ihe securily policy in Ihe absence oF the Lhreai managemenl facility. Tn embodiments, the Iransilion from the lirsi state to the second slate may he inilialed automalically when Ihe virlual machine loses Ihe communicaling relationship with the hosi machine, when the virtua' machine loses Ihe communicaling relalionship wiih ihe Lhreat managemenl Facility, and the like. The first virlual machine may he executing on thc host machine whilc operating in the second state, on a virtual machine separate from thc plurality of virtual machines, and the like. Further, thc first virtual machine may be executing on a hardware-computing device independent from the host machine while operating in the second statc, such as a personal computer, a laptop computcr, a mobile communications device, and the like. A user of the hardware-computing device may initiate a transition from the first state to the second state in order to opcrate the first virtual machine on the hardware-computing device independently of the host machine.

The host machine may initiate the transition from the first state to the second state. The security policy implemented by the local security facility may he a subset of the security policy implemented by the threat management facility. The security facilities may provide protection against malicious code, a malicious application, an unwanted application, and Ihe like.

OO76] The methods and syslems described herein may he deployed in pan or in whole through a machine ihal executes computer soFtware, program codes, andlor insiruclions on a processor. The preseni invention may he implemented as a method on Ihe machine, as a system on apparalus as part of or in relalion Lo Lhe machine, on as a compuler program produci embodied in a compuLer readahle medium executing on one or more of Lhe machines. The processor may he part of a server, clieni, neLwork infrasirucLure, mobile computing platform, sLalionary computing platform, or olher compuling plaiform. A processor may he any kind of compulalional or processing device capahk ol execuling program insLruclions, codes, binary inslruclions and the like. The processor may be or include a signal processor, digital proccssor, embcdded proccssor, microprocessor or any variant such as a co-processor (math co-processor, graphic co-processor, communication co-processor and thc likc) and the like that may dircctly or indirectly facilitate execution of program code or program instructions stored thereon. In addition, the processor may enable cxecution of multiple programs, threads, and codes.

The threads may he executed simul1aneousy lo enhance the perlormance @1 the processor and Lu facilitate simulianeous operations of ihe application. By way of implementaLion, methods, program codes, program instructions and the like described herein may he implemented in one or more Lhread. The thread may spawn olher threads Ihat may have assigned pnonhies associated with them: the processor may execute ihese Lhreads based on priority or any other order based on instructions provided in thc program code. The processor may include mcmory that stores methods, codcs, instructions and programs as described herein and elsewhere. The processor may access a storage medium through an interfacc that may store methods, codes, and instructions as described herein and elsewhere. The storage medium associated with the processor for storing methods, programs, codes, program instructions or other type of instructions capable of being executed by the computing or processing device may include but may not be limited to one or more of a CD-ROM, DYD, memory, hard disk, flash drive, RAM, ROM, cache and the like.

[0077] A processor may include one or more cores that may enhance speed and performance of a multiprocessor. In embodiments, the process may be a dual core processor, quad core processors, oLher chip-kvel multiprocessor and the like that combine Iwo or more independent cores (called a die).

OO78] The methods and sysLems described herein may he deployed in pan or in whole through a machine thai executes computer soFtware on a server, client, lirewall, galeway, huh, router, or oiher such computer and/or neiworking hardware. The software program maybe associated wiih a server ihat may include a file server, pnini server, domain server, inlernel server, iniranel server and oiher variants such as secondary server, host server, disirihuted server and the like. The server may include one or more of memories, processors, computer readable media, storage media, ports (physical and virLuál), communicaLion devices, and interfaces capable of accessing oiher servers, clients, machines, and dcviccs through a wircd or a wireless medium, and the like. lie methods, programs or codes as described herein and elsewhere may he executed by the scrver. in addition, other dcvices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the server.

[0079] The server may provide an interface to olher devices including, wilbout limilation, clients, other servers, printers, datahase servers, prini servers, lile servers, communication servers, distrihuied servers and the like. Additionally, ibis couphng and/or connection may facililale remote execution ol program across the network. The networking of some or all of these devices may facilitale paraUel processing of a program or method at one or more location without dcviating from thc scope of the invcntion. in addition, any of thc dcvices attachcd to the scrver through an interface may include at least one storage medium capable of storing methods, programs, code and/or instructions. A central repository may provide program instructions to be executed on different devices. In this implementation, the remote repository may act as a storagc medium for program code, instructions, and programs.

[00801 The software program may be associated with a client that may include a file client, print client, domain client, internet client, intranet client and other variants such as secondary client, host client, distributed client and the like. The client may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other clients, servers, machines, and devices Lhrough a wired or a wireless medium, and Ihe Uke. The methods, programs or codes as described herein and elsewhere maybe executed by the client. In addition, oLher devices required for execution ol methods as described in this application maybe considered as a part of Ihe infrastructure associated with the clieni.

[0081] The client may provide an inierface Lo other devices including, withoul hmitation, servers, other clients, prinlers, database servers, prinL servers, lile servers, communicalion servers, distrihuLed servers and Ihe like. Addilionally, Lhis coupling andlor connection may facililale remole execulion @1 program across the network. The networking of some or all of Ihese devices may facililale parallel processing of a program or method at onc or more location without deviating from thc scope of the invention. In addition, any of the devices attached to the client through an interface may include at least one storagc medium capable of storing mcthods, programs, applications, code and/or instructions. A central repository may provide program instructions to he executed on diftereni devices. In Ihis implemenialion, Ihe remote repository may ad as a slorage medium br program code, instructions, and programs.

OO82] The methods and syslems described herein may he deployed in pan or in whole through network infrasiruclures. The neiwork infrastructure may include elements such as computing devices, servers, routers, hubs, firewalls, clients, personal computers, communication dcvices, routing devices and othcr active and passive devices, modules and/or components as known in thc art. Thc computing and/or non-computing device(s) associated with the network infrastructure may include, apart from other components, a storage medium such as flash mcmory, buffcr, stack, RAM, ROM and the like. The processes, methods, program codes, instructions described herein and elsewhere may be cxecuted by one or morc of the nctwork infrastructural elements.

[00831 The methods, program codes, and instructions described herein and elsewhere may be imp'emented on a celthar network having multiple cells. The cellular network may either be frequency division muhiple access (FDMA) network or code division muhiple access (CDMA) network. The cellular network may indude mobile devices, cell sites, base stations, repeaters, antennas, towers, and the like. The cell network may he a (JSM, (JPRS, 3(3, RYDO, mesh, or oLher neiworks lypes.

OO84] The methods, programs codes, and instructions described herein and elsewhere may he implemented on or through mohile devices. The mobile devices may include navigalion devices, cell phones, mohile phones, mobile personal digital assislanis, laptops, palmiops, neihooks, pagers, elecironic hooks readers, music players and Ihe like. These devices may include, aparl from other components, a slorage medium such as a hash memory, huller, RAM, ROM and one or more compuling devices. The compuling devices associaled wiLh mohfle devices may he enabled lo execule program codes, methods, and insiruclions siored Ihereon. Aliernalively, ihe mohile devices may he conligured Lo execuLe insiruclions in collaboration wiih oLher devices. The mobile devices may communicatc with base stations intcrfaced with servers and configured to execute program codes. The mobile devices may communicate on a peer to peer network, mesh network, or other communications network. the program code may bc stored on the storage medium associated with the server and executed by a computing device cmbcddcd within the server. Ic basc station may include a computing dcvicc and a slorage medium. The slorage device may store program codes and instructions executed hy Ihe computing devices associaled wilh Ihe base slalion.

OO85] The compuler soFtware, program codes, and/or insiruclions may he slored and/or accessed on machine readable media Ihal may include: compuler componenls, devices, and recording media thai retain digital data used for computing br some interval of time; semiconductor storage known as random access mcmory (RAM); mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types; processor registers, cache mcmory, volatile memory, non-volatile memory; optical storagc such as CD, DYD; removable media such as flash memory (e.g. USB sticks or keys), floppy disks, magnetic tape, paper tapc, punch cards, standalone RAM disks, Zip drivcs, removable mass storage, off-line, and the like: other computer memory such as dynamic memory, static memory, read/write storage, mutable storage, read only, random access, sequential access, location addressable, file addressable, content addressable, network attached storage, storage area network, bar codes, magnetic ink, and the like.

[00861 The methods and systems described herein may transform physical andlor or inlangible items 1mm one slate lo anoiher. The meihods and systems described herein may also transk)rm dala representing physical and/or intangible items From one slale Lo anoiher.

OO87] The elemenls described and depicted herein, including in how charts and hlock diagrams throughoul ihe Figures, imp'y ogical houndaries between Lhe dements. However, according lo software or hardware engineering praclices, ihe depicied elements and Lhe litnclions ihereof may he impkmented on machines Lhrough compuler execuLable media having a processor capahle of execuling program instruclions slored thereon as a monoliihic software sirucLure, as sLandalone software modules, or as modifies IhaL employ exLerna routines, code, services, and so forLh, or any combination of these, and all such implementations may bc within the scope of thc present disclosure.

Examples of such machines may include, but may not he limited to, personal digital assistants, laptops, pcrsonal computers, mobile phoncs, other handheld computing devices, medical equipment, wired or wireless communication devices, transducers, chips, calculators, satellites, tablet PCs, elcctronic books, gadgets, electronic devices, devices having arti!iciál intefligence, computing devices, nelworlcing equipments, servers, roulers and Ihe like. Furthermore, ihe elements depicied in Ihe flow chari and hlock diagrams or any oLher logical componeni maybe implemented on a machine capahk oF executing program inslruclions. Thus, while the Foregoing drawings and descriptions sd!orth lunctional aspecis of the disclosed syslems, no particular alTangement of so1tw*for implcmenting these functional aspects should be inferred from thesc descriptions unless explicitly stated or otherwise clear from thc context.

Similarly, it will be appreciated that the various steps identified and described above may be varied, and that thc order of steps may be adapted to particular applications of the techniques disclosed herein. All such variations and modifications are intended to fall within the scope of this disclosure. As such, the depiction and/or description of an ordcr for various steps should not be understood to require a particular order of execution for those steps, unless required by a particular application, or explicitly stated or otherwise clear from the context.

[00881 The methods and/or processes described above, and steps thereof, may he realized in hardware, software or any combination of hardware and software suitable br a parlicular applicalion. The hardware may include a general purpose compuler and/or dedicaled computing device or specilic computing device or particular aspect or componeni oF a specilic computing device. The processes maybe realized in one or more microprocessors, microconlrollers, embedded microcontrollers, programmable digital signal processors or other programmable device, along with interna' and/or external memory. The processes may also, or instead, he embodied in an application specilic inlegrated circuit, a programmable gale array, programmable array logic, or any other device or combination oF devices that may he conligured to process electronic signals. It will fttriher he appreciated ihal one or more of the processes may he realiied as a computer executable code capable ol heing execuled on a machine readable medium.

[0089] Thc computcr cxccutable code may be crcated using a structurcd programming language such as C, an object oriented programming language such as C++, or any other high-lcvel or low-lcvel programming language (including asscmbly languages, hardware description languages, and database programming languages and technologies) that may be stored, compilcd or interprcted to run on one of the above devices, as well as heterogeneous combinations ol processors, processor architectures, or combinations of different hardware and software, or any other machine capable of executing program instructions.

[0090] Thus, in one aspect, each method described above and combinations thereof may he embodied in computer executable code that, when executing on one or more computing dcvices, performs the steps thereoL In another aspect, thc methods may be embodied in systems that perform the steps thereoL and may be distributed across devices in a number of ways, or all of the functionality may be integrated into a dedicated, standalone device or other hardware. In another aspect, the means for performing the steps associated with the processes described above may include any of the hardware and/or software described above. All such permutations and combinations are intended to fall within the scope of the present disc'osure.

[0091] While the invention has been disclosed in connection with the preferred embodiments shown and described in detail, various modifications and improvements thereon will become readily apparent to those skilled in the art.

Accordingly, the scope of the present invention is not to he limited by the foregoing examples, hut is to he understood in the broadest sense allowable by law.

[0092] All documents referenced herein are hereby incorporated by reference.

Claims (17)

1. CLATMSI. A syslem comprising: a host machine that manages a pluralily of virtual machines associaled wiih an enterprise through a supervisory process, the host machine including a ihreai management facility coupled in a communicating relationship with the plurality of virtual machines and enforcing a security policy of the enterprise for the plurality of virtual machines; and a first virtual machine from among the plurality of virtual machines, the first virtual machine capable of operating in a first state on the host machine wherein the security policy is enforced by the threat management facility, and the first virtual machine capable of operating in a second state wherein a local security facility executable on the first virtual machine autonomously enforces the security policy in the absence of the threat management facility.
2. 2. The system of claim 1, wherein a transition from the first state to the second state is iniliated aulomaticálly when the virtual machine thses the communicating relalionship wilh Ihe host machine.
3. 3. The syslem of claim 1, wherein a transition from ihe lirst slale Lu Lhe second state is iniLiated auLomaticálly when the virtual machine thses the communicating relaLionship wilh ihe Lhreat management facility.
4. 4. The syslem of claim 1, wherein ihe firsl virtual machine is executing on Lhe hosl machine while operating in the second slate.
5. 5. The system of claim 1, wherein the threat management facility is operating on a virtual machine separate from the plurality of virtual machines.
6. 6. The syslem of claim 1, further comprising a hardware-computing device independent Irom the host machine, wherein Ihe lirsi virtual machine is executing on the hardware-compuling device while operating in the second slate.
7. 7. The system of claim 6, wherein a user of the hardware-computing device initiates a transition from thc first state to thc second state in order to operate the first virtual machine on the hardware-computing device independently of the host machine.
8. S. Ihe system of claim 6, wherein the host machine initiates a transition from the first state to the second state.
9. 9. The system of claim 1, wherein the security policy implemented by the local security facility is a subset of the security policy implemented by the threat management facility.
10. 10. The system of claim 1, wherein the security facilities provide protection against at least one of malicious code, a malicious application, and an unwanted application.
11. Ii. A method comprising: providing a host machine that manages a plurality of virtual machines associated with an enterprise through a supervisory process, executing a threat management facility on the host machine coupkd in a communicating relationship with the plurality of virtual machines, the threat management facility enforcing a security policy of the enterprise for the plurality of virtual machines; operating a lirst virtual machine from among the plurality of virtual machines in a first slate on the host machine wherein the security policy is enforced by the threat management facility: and operating the first virtual machine in a second state wherein a local security facility executable on the first virtual machine autonomously enforces the security policy in the absence of the threat management facility.
12. 12. The meihod oF claim I I, wherein a Iransilion Irom Ihe first stale Lu Ihe second state is iniliated aulomaticálly when the virtual machine thses the communicating relalionship wiLh Ihe lhreat management facility.
13. 13-The meihod oF claim II, wherein Ihe flrs virtual machine is executing on the hosl machine while operating in the second statc.
14. 14. The method of claim 11, further comprising a hardware-computing device independent from the host machine, whcrcin the first virtual machinc is cxccuting on the hardware-computing device while operating in the second state.
15. 15. The method of claim 11, wherein the security facilities provide protection against at least one of malicious code, a malicious application, and an unwanted application.
16. 16. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more compuling devices, provides a virLual machine conligured lo perlorm Ihe steps of: operaling in a lirst slale on a host machine Ihat hosts a pluralily oF virtua' machines and provides a lhreaL managemenl facilily br enlorcing a securily policy br Ihe virtua' machine; and operaling in a second slate, wherein Ihe second slate includes a local security facility conbigured lo autonomous'y enk)rce Ihe security policy in Ihe absence of ihe Lhreat managemeni Facility.
17. 17. The compuler program produci oF claim 1 6, wherein a Iransition Irom the first slale lo Ihe second slale is iniliated aulomatically when the virtual machine loses a communicating rclationship with the threat management facility of the host machine.

    iS. The computcr program product of claim 16, wherein the first virtual machinc is executing on the host machine while operating in the second state.19-The compuler program produci oF claim 1 6, ftirther comprising a hardware-compuling device independeni from the hosi machine, wherein the lirsi virtual machine is executing on lhe hardware-computing device while operating in the second slate.20. The compuler program produci oF claim 16, wherein the securily Facililies provide protection against at least onc of malicious code, a malicious application, and an unwanted application.